[sandbox] Unsandboxify CodeEntryPoint

For code pointers, the sandbox will require a custom, lightweight CFI
mechanism (likely based on the external pointer table). Simply turning
all code pointers into ExternalPointers is not sufficient.
This CL therefore turns code pointers back into raw pointers for now so
that they don't block the external pointer table rollout.

Bug: v8:10391
Change-Id: Ib2ba246be546bbf19fcd0f4ae20f4e9a2cf2e099
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng,v8_linux_arm64_sim_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3859348
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#82775}

include/v8-internal.h

@@ -383,15 +383,14 @@ constexpr uint64_t kAllExternalPointerTypeTags[] = {
   V(kForeignForeignAddressTag,            unsandboxed, TAG(10)) \
   V(kNativeContextMicrotaskQueueTag,        sandboxed, TAG(11)) \
   V(kEmbedderDataSlotPayloadTag,            sandboxed, TAG(12)) \
-  V(kCodeEntryPointTag,                   unsandboxed, TAG(13)) \
-  V(kExternalObjectValueTag,                sandboxed, TAG(14)) \
-  V(kCallHandlerInfoCallbackTag,            sandboxed, TAG(15)) \
-  V(kAccessorInfoGetterTag,                 sandboxed, TAG(16)) \
-  V(kAccessorInfoSetterTag,                 sandboxed, TAG(17)) \
-  V(kWasmInternalFunctionCallTargetTag,     sandboxed, TAG(18)) \
-  V(kWasmTypeInfoNativeTypeTag,             sandboxed, TAG(19)) \
-  V(kWasmExportedFunctionDataSignatureTag,  sandboxed, TAG(20)) \
-  V(kWasmContinuationJmpbufTag,             sandboxed, TAG(21))
+  V(kExternalObjectValueTag,                sandboxed, TAG(13)) \
+  V(kCallHandlerInfoCallbackTag,            sandboxed, TAG(14)) \
+  V(kAccessorInfoGetterTag,                 sandboxed, TAG(15)) \
+  V(kAccessorInfoSetterTag,                 sandboxed, TAG(16)) \
+  V(kWasmInternalFunctionCallTargetTag,     sandboxed, TAG(17)) \
+  V(kWasmTypeInfoNativeTypeTag,             sandboxed, TAG(18)) \
+  V(kWasmExportedFunctionDataSignatureTag,  sandboxed, TAG(19)) \
+  V(kWasmContinuationJmpbufTag,             sandboxed, TAG(20))
 
 // All external pointer tags.
 #define ALL_EXTERNAL_POINTER_TAGS(V) \

src/codegen/arm64/macro-assembler-arm64.cc

@@ -2343,11 +2343,8 @@ void TurboAssembler::LoadCodeDataContainerEntry(
   ASM_CODE_COMMENT(this);
   CHECK(V8_EXTERNAL_CODE_SPACE_BOOL);
 
-  LoadExternalPointerField(
-      destination,
-      FieldMemOperand(code_data_container_object,
-                      CodeDataContainer::kCodeEntryPointOffset),
-      kCodeEntryPointTag);
+  Ldr(destination, FieldMemOperand(code_data_container_object,
+                                   CodeDataContainer::kCodeEntryPointOffset));
 }
 
 void TurboAssembler::LoadCodeDataContainerCodeNonBuiltin(

src/codegen/code-stub-assembler.cc

@@ -14832,9 +14832,8 @@ TNode<CodeT> CodeStubAssembler::GetSharedFunctionInfoCode(
 TNode<RawPtrT> CodeStubAssembler::GetCodeEntry(TNode<CodeT> code) {
 #ifdef V8_EXTERNAL_CODE_SPACE
   TNode<CodeDataContainer> cdc = CodeDataContainerFromCodeT(code);
-  return LoadExternalPointerFromObject(
-      cdc, IntPtrConstant(CodeDataContainer::kCodeEntryPointOffset),
-      kCodeEntryPointTag);
+  return LoadObjectField<RawPtrT>(
+      cdc, IntPtrConstant(CodeDataContainer::kCodeEntryPointOffset));
 #else
   TNode<IntPtrT> object = BitcastTaggedToWord(code);
   return ReinterpretCast<RawPtrT>(

src/codegen/x64/macro-assembler-x64.cc

@@ -2217,10 +2217,8 @@ void TurboAssembler::LoadCodeObjectEntry(Register destination,
                                          Register code_object) {
   ASM_CODE_COMMENT(this);
   if (V8_EXTERNAL_CODE_SPACE_BOOL) {
-    LoadExternalPointerField(
-        destination,
-        FieldOperand(code_object, CodeDataContainer::kCodeEntryPointOffset),
-        kCodeEntryPointTag, kScratchRegister);
+    movq(destination,
+         FieldOperand(code_object, CodeDataContainer::kCodeEntryPointOffset));
     return;
   }
 
@@ -2287,11 +2285,8 @@ void TurboAssembler::LoadCodeDataContainerEntry(
     Register destination, Register code_data_container_object) {
   ASM_CODE_COMMENT(this);
   CHECK(V8_EXTERNAL_CODE_SPACE_BOOL);
-  LoadExternalPointerField(
-      destination,
-      FieldOperand(code_data_container_object,
-                   CodeDataContainer::kCodeEntryPointOffset),
-      kCodeEntryPointTag, kScratchRegister);
+  movq(destination, FieldOperand(code_data_container_object,
+                                 CodeDataContainer::kCodeEntryPointOffset));
 }
 
 void TurboAssembler::LoadCodeDataContainerCodeNonBuiltin(

src/compiler/wasm-compiler.cc

@@ -2951,9 +2951,10 @@ Node* WasmGraphBuilder::BuildCallRef(const wasm::FunctionSig* sig,
         wasm::ObjectAccess::ToTagged(WasmInternalFunction::kCodeOffset));
     Node* call_target;
     if (V8_EXTERNAL_CODE_SPACE_BOOL) {
-      call_target = BuildLoadExternalPointerFromObject(
-          wrapper_code, CodeDataContainer::kCodeEntryPointOffset,
-          kCodeEntryPointTag);
+      call_target =
+          gasm_->LoadFromObject(MachineType::Pointer(), wrapper_code,
+                                wasm::ObjectAccess::ToTagged(
+                                    CodeDataContainer::kCodeEntryPointOffset));
     } else {
       call_target = gasm_->IntAdd(
           wrapper_code, gasm_->IntPtrConstant(

src/objects/code-inl.h

@@ -1529,22 +1529,16 @@ Code CodeDataContainer::code(PtrComprCageBase cage_base,
 
 DEF_GETTER(CodeDataContainer, code_entry_point, Address) {
   CHECK(V8_EXTERNAL_CODE_SPACE_BOOL);
-  Isolate* isolate = GetIsolateForSandbox(*this);
-  return ReadExternalPointerField<kCodeEntryPointTag>(kCodeEntryPointOffset,
-                                                      isolate);
+  return ReadField<Address>(kCodeEntryPointOffset);
 }
 
-void CodeDataContainer::init_code_entry_point(Isolate* isolate,
-                                              Address initial_value) {
-  CHECK(V8_EXTERNAL_CODE_SPACE_BOOL);
-  InitExternalPointerField<kCodeEntryPointTag>(kCodeEntryPointOffset, isolate,
-                                               initial_value);
+void CodeDataContainer::init_code_entry_point(Isolate* isolate, Address value) {
+  set_code_entry_point(isolate, value);
 }
 
 void CodeDataContainer::set_code_entry_point(Isolate* isolate, Address value) {
   CHECK(V8_EXTERNAL_CODE_SPACE_BOOL);
-  WriteExternalPointerField<kCodeEntryPointTag>(kCodeEntryPointOffset, isolate,
-                                                value);
+  WriteField<Address>(kCodeEntryPointOffset, value);
 }
 
 void CodeDataContainer::SetCodeAndEntryPoint(Isolate* isolate_for_sandbox,

src/objects/code.h

@@ -255,7 +255,7 @@ class CodeDataContainer : public HeapObject {
   V(kCodeCageBaseUpper32BitsOffset,                                 \
     V8_EXTERNAL_CODE_SPACE_BOOL ? kTaggedSize : 0)                  \
   V(kCodeEntryPointOffset,                                          \
-    V8_EXTERNAL_CODE_SPACE_BOOL ? kExternalPointerSlotSize : 0)     \
+    V8_EXTERNAL_CODE_SPACE_BOOL ? kSystemPointerSize : 0)           \
   V(kFlagsOffset, V8_EXTERNAL_CODE_SPACE_BOOL ? kUInt16Size : 0)    \
   V(kBuiltinIdOffset, V8_EXTERNAL_CODE_SPACE_BOOL ? kInt16Size : 0) \
   V(kKindSpecificFlagsOffset, kInt32Size)                           \

src/objects/objects-body-descriptors-inl.h

@@ -1065,9 +1065,6 @@ class CodeDataContainer::BodyDescriptor final : public BodyDescriptorBase {
 
     if (V8_EXTERNAL_CODE_SPACE_BOOL) {
       v->VisitCodePointer(obj, obj.RawCodeField(kCodeOffset));
-      v->VisitExternalPointer(
-          obj, obj.RawExternalPointerField(kCodeEntryPointOffset),
-          kCodeEntryPointTag);
     }
   }